PINNING DOWN THE IOT

Cyber Security Research Institute report into the Internet of Things

Sponsored by F-Secure

CONTENTS

Executive Summary
Introduction
The pervasiveness of the new Internet of Things
The Connected Home
The consumer reaction
Coping with an ageing population
IoMe and the IOWT: The Internet of Me and the Internet of Women Things
The overwhelming case for regulation
The regulator’s digital knowledge gap
The push for regulation
Summary
Culture
Taking back control
Appropriate use
Education
Responsibility

EXECUTIVE SUMMARY

In its current form the Internet of Things (IoT) represents a considerable threat to consumers, due to inadequate regulations regarding its security and use.

In many cases, the adoption of the technology is being driven by businesses eager to gain valuable data from citizens, with little concern for their privacy or the protection of that data.

Over the next two years, the number of IoT devices entering households is predicted to climb steeply from 9 devices per household currently, to 500 by 2022 according to the research house Gartner [1], with IoT connectivity being bundled into products whether people want it or not. Some of the experts interviewed for this report such as Mikko Hypponen, chief research officer for the cyber security company F-Secure, which sponsored this report, said that in the future, devices without IoT capabilities may be more expensive because they'll lack data that can be harvested by manufacturers.

Another significant concern highlighted by our research was the problem of long, deliberately unwieldy and confusing terms and conditions associated with the use of devices that give the manufacturer the right to collect private data and control of how its device is being used.

Earlier this year the US manufacturer I-Robot’s CEO Colin Angle suggested that the manufacturer may begin to sell the floor plans of houses which its robot vacuum cleaners had compiled to Amazon, Apple or Alphabet, parent company of Google. The three companies did not comment on I-Robot’s suggestion. But I-Robot’s stock price soared from $35 to $102 when Angle suggested the possibility in a Reuters interview in June.

All of the analysts consulted pointed out that personal data from the connected home will often be bought and sold with consumers largely remaining oblivious to potential implications.

"Personal data from the connected home will often be bought and sold, as the result of a lack of awareness among consumers about what the IoT is and what it does."

According to all of those interviewed, this lack of awareness will also result in significant security risks to individuals, since IoT devices with limited security will easily connect to home WiFi networks and other radio protocols such as Bluetooth, Zigbee and Z-Wave and use those networks to link to other devices, such as computers, handheld appliances and mobile phones.

Among the interviewees, there was a widespread belief that many IoT devices would go unprotected because consumers do not know how to change the manufacturers’ default security settings. The drive to be the first to market has meant that many manufacturers have not even considered the security implications of their devices. They have either not built appropriate security measures, use inadequate measures or, in some cases, provide no settings at all to change. This situation could create an even more frightening scenario than the UK tabloid newspapers’ “phone hacking” scandal, due to a massive adoption of insecure IoT devices.

Of even greater concern is the potential for IoT devices to be turned into eavesdropping mechanisms that can hear and see what is going on wherever they have been deployed. Online criminals could even access and control biometric data, such as fingerprints, voices and facial images stored as digital data.

Numerous cases have already emerged of webcams being hacked on computers and mobile phones in order to spy on their owners. [2] Other IoT devices, such as smart meters, may reveal if people are in their homes by monitoring which appliances are being used and which rooms are being heated.

[1] https://www.gartner.com/newsroom/id/2839717
[2] https://null-byte.wonderhowto.com/how-to/hack-like-pro-secretly-hack-into-switch-on-watch-anyones-webcam-remotely-0142514
    https://globalnews.ca/news/2158281/what-you-need-to-know-about-webcam-hacking-and-how-to-prevent-it
    https://us.norton.com/internetsecurity-malware-webcam-hacking.html
    https://www.geek.com/tech/mark-zuckerberg-tapes-up-his-webcam-and-snowden-says-you-should-too-1659083
    https://www.theguardian.com/world/2016/jun/06/surveillance-camera-laptop-smartphone-cover-tape

One other great danger from this explosion of poorly-protected connected objects is the potential for internet instability. Already, hacking groups have proved themselves adept at using readily available analysis tools, such as Shodan, to discover flaws in particular devices and turn them into botnets. Hackers have already created their own search systems and exploited the freemium models of other IoT search systems.

A recent example of this was the Mirai botnet which used IoT devices, such as web and CCTV cameras and routers, to carry out attacks on a number of internet-based businesses and some internet service providers.

Many of those industry figures involved in the development of the IoT interviewed for this report felt that the IoT industry is aware of the security issues surrounding the technology. Meanwhile there were resounding calls for regulation of the technology from all of the experts we consulted.

For the purposes of this report, the authors interviewed politicians, a senior police officer, cyber security specialists, industry analysts, think-tank observers and industry figures involved in developing technology for the IoT.

INTRODUCTION

For the average consumer, the Internet of Things may be a new concept, but it has been with us for a number of years.

Used to connect everything from toasters in Japan, elephants in Kenya, sheep in Scotland, fridges in Korea, lamps in the US, buildings in Germany and clothes and furniture in Scandinavia, the IoT is seen as the biggest trend in tech. The latest in chip-chic.

By using wireless networks, light waves, sound waves or hard-wired connections we will be able to connect everything to the internet: computers; cars; mobile phones; food; fields; animals; roads; plants; planes; park benches; and people.

We will be able to put sensors into everything, and those sensors will generate more and more data about us and our world. According to the computer multinational IBM, in 2016 we generated more data than we have in all the previous years for which records exist put together. [3]

Everything will be measured, and people most of all, because it is people who both produce and consume the ‘new oil’ of the information revolution; people are both the market and the meaning, without people there would be no data and no machines exchanging data.

By understanding how people behave, what they are doing and how they use "things," the makers of our new smart world expect to be able to fine-tune their products to make them more useful, more desirable and more efficient.

According to the man who coined the term "the Internet of Things" in 2009, English researcher Kevin Ashton, we need ‘things’ to record data because people are terrible at doing it themselves: “The problem is, people have limited time, attention and accuracy – all of which means they are not very good at capturing data about things in the real world.

“Ideas and information are important, but things matter much more. Yet today’s information technology is so dependent on data originated by people that our computers know more about ideas than things. If we had computers that knew everything there was to know about things – using data they gathered without any help from us – we would be able to track everything and greatly reduce waste, loss and cost.

“We would know when things needed replacing, repairing or recalling and whether they were fresh or past their best. The Internet of Things has the potential to change the world.”

Smartness and efficiency will become the catchphrases of the age. Smart phones, smart watches, smart cities, smart houses – even smart bras, pants, pills and tampons are the new objects of desire.

All of our devices will be talking to each other in a blizzard of data that will rapidly outpace us. According to the US telecoms giant Cisco, by 2020 machine-generated data will exceed the traffic generated by people as the sensors, servers and computers collect information from us and it amongst themselves. [4]

In 2014, Cisco estimated that some 10 billion devices were wirelessly connected worldwide, and by 2020 Cisco researchers predicted that that number would rise to 50 billion. [5]

Ironically, for a technology that's all about tracking, exact figures about IoT deployment are hard to find, and the IoT itself is hard to define. Dr David Pugh, an IoT analyst for IDTechEx, based in Cambridge, UK, comments:

[3] https://www.ibm.com/blogs/insights-on-business/consumer-products/2-5-quintillion-bytes-of-data-created-every-day-how-does-cpg-retail-manage-it
[4] https://www.iothub.com.au/news/m2m-devices-to-dominate-by-2020-cisco-421071
[5] https://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

“Some people will include things like smartphones, but we do not. When we talk about devices on the Internet of Things we consider things which humans do not really have any interaction with, things which are essentially ‘fit and forget’, things like counters that are monitoring the amount of people who go through a particular toll or walk down a street, devices that monitor air quality, devices which monitor traffic flow.

“The sort of things which sit in the corner of a room or by the side of the room and collect data – that’s what we think IoT is. IoT is not really a technology but a business model, a way of getting value from data because now we’re able to collect so much data.”

Utilities – including water, electricity, communications and transport – are already dependent on monitoring via sensors that connect via the internet or the IoT.

According to the IoT’s evangelists, our lives will become monitored and moderated and much better as a result. We will be able to live longer, healthier lives because we will be better understood and theoretically better cared for because we will be the beneficiaries of the three greatest technological movements of the early 21st century:

1. The IoT, the sensors that generate huge amounts of data.

2. Big Data, the pool of data that IoT feeds, that already includes information from our social media and from our interactions with organizations like banks and phone companies.

3. Artificial Intelligence, computer systems that perform tasks that usually require human intelligence, including hunting through Big Data to find patterns in consumer behavior.

A revolution is unfolding that could be one of the greatest boons to humankind in history, giving us an unparalleled insight into our lives and our relationship to the planet. By using a combination of smart technology, the IoT and the Big Data it helps to create, we should be able to improve our lives.

But the bad news is that there is a potentially huge downside.

The IoT has profound implications for us in terms of surveillance, privacy and consumer rights. Without rights and protections, we are at risk of becoming a component of the IoT. So instead of being in control of the technology, we may end up impotent, left to the mercy of the sensors, the databases, the servers and the analytical software engines and algorithms that now roam the internet.

And according to the cryptographer, author and influential technologist Bruce Schneier, with the IoT we have not just plugged sensors into AI, we have given it the means to take action.

“With the advent of the Internet of Things and cyber physical systems in general, we’ve given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel and concrete.”

THE PERVASIVENESS OF THE NEW INTERNET OF THINGS

The IoT is considered to be at the cutting edge of technology. But the current version (small devices connected to the internet) is being swiftly overtaken by technological developments that promise a future world that is connected in many different ways.

While many of the devices that will shortly be available in our homes will connect to the internet via radio protocols like WiFi, there are plans in place to connect devices to the internet by light and sound.

Indeed, even the sensors that are due to be deployed are already undergoing steep changes, with polymers being developed that can sense a huge range of different stimuli from pressure to smell.

“We can make a thin sheet of this material which is very easy to do because we can make it in the form of an ink that can detect pressure. We’ve got something that can lend itself to doing a lot of things, only some of which we can think of at this moment in time,” said David Lussey, founder of Quantum Technology Supersensors, a British technologist and entrepreneur who has worked for Apple and NASA.

“It can pick up sweat. It can also be charged. In its normal state, the technology gives an open circuit resistance reading, but if you apply a voltage to it, it is the same as applying a pressure to it. It actually sets the material into a highly sensitive state and, in that state, the composite will smell things.”

As Lussey’s polymer-based magnetite sensors can even be contained in a compound that looks like ink, they can inexpensively and readily be put onto and into a whole range of different materials.

As a recent press release from the company points out: the range of uses is almost inexhaustible. "They can be used to create interactive textiles. Additional use cases for the flexible, printable and mouldable sensors include low weight, low power and low cost environmentally-friendly printable switches and sensors for the automotive and transportation sector, intuitive multi-functional interfaces and touch screens that can adapt to the user, and fatigue-monitoring skins and components, for example: pressure-sensing washers.

"In the medical and healthcare markets durable, recyclable single or multi-touch sensors can monitor swellings. And synthetic body parts that are able to sense pressure can be 3D-printed. Robotics and prosthetics that can simulate human-like touch sensitivity will enable the performance of delicate or rugged operations as pressure sensing ‘bionic skin’ allows better interaction with and responsiveness to the environment.

In the home, smart pressure sensors and data harvesting can even be used to warn that an elderly person is about to fall.

In one experiment carried out by Lussey, the magnetite material was put onto the insole of a shoe and linked to a mobile phone. The sensors detected where the wearer was exerting pressure on the sole and how he or she was leaning.

“One of the potential uses for that is that the material can also detect gait and that is very useful because people tend to develop a change in their gait just before they are about to fall, and in the case of old people that gait change can occur several days before they actually fall.”

A "Digital Nervous System" can be created by combining sensing, control and optimization. In mobile devices and gaming, intuitive multi-functional interfaces and touch screens will be able to adapt to the user, improving the experiences whilst at the same time reducing environmental impact, since the durability of the material means that it can last for a very long time.

“As I said, we can make it as an ink we can put it into textiles, we can make it as a filler within a polymer sheet. It is also highly durable. If it were inside a car seat it would outlast the car seat and if you hit it with a hammer repeatedly you would do it some damage, but it would still work,” said Lussey, adding that it would be possible to paint the material on roads or even mix it into the materials used to make plane or car bodies.

New technologies have already been developed that will allow the IoT to respond automatically to sound data carrier signals or audible cues, as Dr Chris Mitchell of Audio Analytics points out.

“We make sound cues of things like babies crying or windows being broken. We cover a range of consumer devices from cameras to smart speakers and headphones and things of that nature.

“For us, we see it as extending the sensing node of a point in the IoT to the sounds that are happening around it, and then having that information fed back into the IoT, and having the devices or services that are fed into it affected by that sound’s presence.

“As an example, you have a 15-month-old girl and she cries in the middle of the night and you have to keep on getting up to comfort her. So, the baby monitor hears her crying and wakes you up and at the same time the lights come on in the hallway. It’s all about making the IoT a bit more thoughtful.”

Elsewhere, the IoT has already found a home in industry and is delivering real returns.

According to the market analysts IDC, the market for IoT devices in 2015 was $800 billion. By 2020, it estimates that it will have risen to $1.3 trillion with manufacturing, transport and utilities seeing the bulk of that spending. [6]

Dr Pugh from IDTechEx explains: “Enterprises are buying into IoT to save money. They’re doing it to either get predictive maintenance or real-time monitoring of their equipment. They want to be able to track their assets throughout a production line or across multiple warehouses, and governments are wanting to do something very similar.

“Generally speaking, the places which have deployed these technologies have found that it has reduced their bottom-line. The reason that it’s so successful is that they have been put into places that don’t require a huge amount of investment. All that it requires are a few sensors to be put on bins or lampposts but they can get a return on investment within 18 months and that’s where the real value is.

“If you ask people on the street they don’t really see the value yet. There was a survey conducted by Transport for London which said that 66% of London residents didn’t see the value in spending money on smart city infrastructure and you can understand that. There are problems with hospitals, there are problems with police – all the other places you could be spending public money. So if you can get a return on investment very quickly that is what you want. It is very important for these projects to succeed.”

These projected savings for business have prompted a stampede to adopt the technology and to generate more data – even though at the moment only 2% of the data collected is analyzed, according to Pugh.

So great is the stampede to develop IoT devices that in Finland it has prompted environmental concerns due to e-waste. [7]

This has not disheartened the large companies that are buying into the IoT revolution because the prevailing orthodoxy of the information age is that data is the new oil and that data that is captured and stored will eventually become useful.

[6] https://www.idc.com/getdoc.jsp?containerId=prUS42799917
[7] http://nordic.businessinsider.com/finland-invests-in-printing-the-internet-of-things---to-avoid-an-global-environmental-nightmare-2016-9

THE CONNECTED HOME

The home of the future has been a staple of science fiction films, books, children’s comics and newspapers since the 1950s.

Initially based on architectural, furniture and kitchen design, the futuristic concepts have always promised the same things: leisure, comfort, technological innovation and the use of new modern building materials.

The first modern concept home, the Monsanto House of the Future built in 1957, was made of plastic and designed jointly by the Massachusetts Institute of Technology, Monsanto and Walt Disney Imagineering. It featured the home technology innovations of the time, the microwave oven and an enormous television and was a hit with the crowds going to Disneyland’s Tomorrowland exhibit in California, with 20 million people visiting the attraction over the course of its ten-year life.

Now a mere 60 years later, the reality is even more incredible than those visitors could have imagined. The huge TV of the Monsanto House of the Future may still be with us – and the microwave – but now both of them are intelligent and they are talking to each other, using either WiFi, Bluetooth or other radio protocols. Soon they could be using sound or light.

The result is a scenario that would have astounded Tomorrowland's visitors. When the resident is ready for a meal, both the TV and microwave will get the hint from sensors that detect the table being set. So the TV knows to go into sleep mode, based on data collected by the AI that controls the house.

While this is going on, the microwave has started to heat the meal that has been placed inside it so that it will be ready when required. Data collected on the resident allows the microwave to know precisely when the food will be needed.

At the SAP Data Space in Berlin, Germany, workers use an app to order their lunch at the connected staff canteen half a mile away from their office. The app alerts them when it is almost ready to eat, so that they just have enough time to walk to the dining room before the cooking process is complete. Then they tap the app, and a small individual dumb waiter delivers the meal to the correct person, hot and fresh. SAP’s Heike van Geel told the report’s authors: “This isn’t just about giving the employees a cool experience. It saves time and stress because you don’t need to stand in a queue. So the lunch break can be spent relaxing with colleagues rather than ordering food and waiting for it to be prepared. And productivity improves.”

The desire to match individual consumers with ‘Things’ that meet their needs – just in time – inspired Italian designer Simone Rebaudengo. He envisaged a line of household appliances, which he called Addicted Products, that are obsessed with their own performance. They are networked together and constantly improving through their own machine-learning platform. They include Brad the Toaster, a prototype that actually went into production with a limited run of twenty. The idea is that each toaster, like “Brad”, wants to maximise the amount of toast it makes. So, if it is in a household that does not need toast every day, it can signal to the rest of its network and order a DHL courier to take it to a different house where toast might be more popular, giving the toaster – so to speak – greater job satisfaction.

What sounds like a joke is actually a fundamentally green proposition. Tapping into the “sharing economy” idea, Addicted Products can measure and move resources to where they are truly needed. All of those once popular bread makers and cake makers can stop gathering dust in a garage and find a good home.

The makers of the Monsanto House of the Future didn't think of placing intelligence into their house. But don't blame them. It would not be until a year after the house was demolished that Stanley Kubrick’s ‘2001: A Space Odyssey’ arrived in movie theaters. In the film, HAL, a sociopathic computer, was shown to the world for the first time. HAL is a computerized AI, an entity that controls the spaceship in which a number of astronauts are travelling. Unfortunately, HAL has an error in his code that leads to a desire to control the lives of the people on board the spaceship.

Visitors to the Monsanto House would not have identified the warnings in Kubrick’s masterpiece with the house of the future. But there are uncanny parallels in many of the developments that are being planned for the dream home of the 21st century.

In the IoT home, IP addresses – web pages – will be assigned to any number of ‘Things’ in houses. These will only be constrained by the manufacturers of various home appliances, furniture makers and builders as to the use that they can obtain from them.

As we have seen, toasters can be given "intelligence." Fridges can be programmed to know what items need replenishing and, given the necessary “permissions”, they can be allowed to re-order supplies.

Lights are being programmed to react to behavior, and so are heating systems. If the residents wish to over-ride those controls, they will be able to do so simply by stating their wishes to their Echo, Alexa or any number of personal digital assistants now being developed. These devices are voice activated, and the individual’s personal voiceprint will soon become more important than a password. Sell your house and, if you turn up the next day, the assistant will gently point out that you live elsewhere. A guest arriving at your house will be treated with all of the hospitality that you have assigned to them based on what the AI has gleaned about your relationship. The high street bank HSBC already uses voice prints instead of passwords for its telephone banking service. And Mozilla, the alternative search engine company, is working to create a bank of open-source voices which will be available to new start-ups for use in training their algorithms and rolling out voice-activated apps and IoT devices.

As we have seen from David Lussey’s statements, sensors can now be put into everything – cars, textiles, walls – even roads. Devices exist that connect windows with heating systems, so that in the event of a rise in carbon monoxide being detected from a boiler, the windows will open to ventilate the room.

As we have heard from Dr Mitchell, baby monitors can be connected to lighting systems, as can door key systems. One manufacturer has created a system that allows people to remotely open doors in their homes so that pets can be let outside.

Dr. Mitchell describes a scenario where a parent whose arms are filled with shopping bags or a child could open a front door with a voice command. That voice command would then turn on the lights so that any obstacles (such as toys left in the hallway) could be avoided. And the door would shut automatically after the parent had entered.

TVs and other devices, such as heating and ovens, can be turned on before the owner arrives home and houses can generally be made more responsive.

Perhaps the greatest benefit, according to research, is that savings can be made because sensors will turn off lighting and heating when rooms are not being used. More importantly, by connecting homes and offices to weather forecast information, rooms can be heated more responsively. An example of this is the 18th century mansion owned by IBM called House. IBM introduced a system of sensors linked to the weather and occupancy and also found that by connecting the system to the building’s calendar of meetings, other savings could be made.

Conveniences like these may be a compelling reason to adopt IoT in the home, but for senior citizens, the IoT is being seen as a lifeline, according to James Fenner, the CEO of Silk Road, an analytics company that works with builders.

“We recently carried out a survey to find out how attractive the IoT was to people and one of the surprising things that we found was that 84% of old people want to have IoT technology if it means that they can stay in their house for longer.

“The main reason that the elderly gave for adopting the technology was for health monitoring purposes, the second reason they gave was to maintain their independence, the third reason they gave for having IoT technology was that it would mean that they weren’t lonely,” said Fenner, who added that their research was already indicating a swing towards IoT. (More detail on the IoT and aging follows later in this report).

“In one of our surveys, some 50% of people said that they owned a connected device and 30% intend to buy a device in the coming year. This is going to be a massive trend, by 2020 Gartner have said that there will be 500 smart devices in the average family home and the market will be worth $2 trillion. By that time, over half of the searches given by people will be voice activated.”

But such responsiveness in the home presents significant security issues. Most devices have no cyber security systems installed on them and lack basic safeguards. The experts we interviewed worry about the lack of security design, implementation and testing, as manufacturers move devices onto the market as quickly as possible. Other factors are the small size of the chips being used (for cost-saving reasons) or the fact that the devices are set to the manufacturer’s default password settings, which are often 0000 [8] or 1234 [9]. These passwords are well known on the web, as we can see from the worldwide Mirai botnet example below. Many of the IoT systems that are available on the market present significant security issues as evidenced by reports of hacked baby monitors [10], web cams and CCTV systems regularly making the news.

Search engines like Shodan [11] find IoT devices that are live and potentially vulnerable on the web now. Exploiting known security weaknesses is child's play for many online criminals.

In the case of the Mirai botnet, hackers created a botnet of IoT devices that could be used to attack websites on the internet. [12] This was done by malware that searched for particular devices and then, once it found them, entered the default settings and took control of the systems.

This inherent vulnerability in IoT system security is a particular concern to Michael Barton, the Chief Constable of Durham, UK, a vocal critic of the use of IoT systems in their current form.

“All new technologies, all changes in the way that society is ordered, particularly if it is technology always has a crime harvest. So, when cars were invented people started drink-driving and stealing cars and it’s exactly the same with the Internet of Things.

“The issue here is not they are being stolen but that they are being used as the mechanism by which people can commit crime,” said Barton.

“The idea is that if you’ve got a fridge that is connected to the internet so that you can check what’s in it or whatever you want to do, it’s not that people will want to know how many yogurts you’ve got and whether or not they are going off. It’s the fact that when they get into that fridge which doesn’t have any protection or minimal protection, they’re then through the back door into all of your other devices, some of which will contain your bank account details.

“So, if your fridge is connected up to your local supermarket so that it can order things when they are needed, then it’s going to be connected to your bank account and it’s that, that is the worry. That all of these devices, none of which are seen as that threatening or that necessary to protect, become the open back door.”

[8] https://arstechnica.com/information-technology/2016/01/how-to-search-the-internet-of-things-for-photos-of-sleeping-babies
[9] https://safeandsavvy.f-secure.com/2017/06/06/foscam-ip-cameras-insecure-iot
[10] http://www.zdnet.com/article/shodan-the-iot-search-engine-which-shows-us-sleeping-kids-and-how-we-throw-away-our-privacy
[11] https://en.wikipedia.org/wiki/Shodan_(website)
[12] https://en.wikipedia.org/wiki/Mirai_(malware)

Barton added that the current security on the IoT devices is inadequate: “They do have security of a sort but it’s certainly not enough. One of the things that we need to do is to nudge consumers into making sure that these things are safe. So, for example, pretty much all of them will have factory settings that are set to four zeros or 1234. I would like to see that changed so that unless the customer changes the setting to something that they know, the device doesn’t work.

“So, there’s got to be a mixture of increasing the security and also of encouraging the customer to use the security that’s on offer.”

While many see this as the sole responsibility of the manufacturers, others see a general need for consumer education about the risks of these devices. It is notable that the Barclays Bank website in the UK now carries a large amount of information on the risks of technology. One international mobile phone company offers information designed to help families and young people “become more confident and resilient online."

Barton’s worries about IoT device security are shared by Emily Taylor, an associate fellow of the think-tank Chatham House and editor of the Royal Institute of International Affairs’ Journal of Cyber Policy. She thinks that the industry must clean up its act.

“You know they’re going to be able to solve this. They have the knowhow and they also have the incentives to improve standards but what happens at the moment – and we’ve heard this again and again: why should they boost their costs? bother because the consumers have got no incentives to buy secure devices? That’s where you do have a role as a regulator to sort those things out and to make sure that those incentives are in place to go for better, more secure, more privacy-respecting devices because the market is not sorting this out.”

“Eventually almost every household device will be online, and they will largely be invisible to the end user as a smart device.” (Mikko Hypponen, Chief Research Officer, F-Secure)

Another weakness in IoT devices is the potential for what is known in the tech community as "unintended consequences."

According to Dr Sheila Jasanoff, professor of science and technology studies at Harvard Kennedy School and author of Ethics of Invention: “If technological mishaps, accidents and disasters seem unintended, it is because the process of designing technologies is rarely exposed to public view.”

The problem with the IoT is that people often do not really know how the devices work, or how they link together, so things can happen that they are unaware of and that even the manufacturers did not consider.
More importantly because “They say why should they make their devices more expensive people are unaware how devices work they are also unaware by adding security and lose out to competitors who don’t of the inherent risks that they may pose.

One example of this is the IoT system that will open windows in a house when it detects high levels of carbon monoxide to counter any leak from a boiler or a gas-supply. This life-saving function could have potentially fatal, unintended consequences if it opens a window when a fire had started in a house, accelerating the blaze.

Such potential scenarios could easily occur in an unregulated IoT market, one that does not have oversight from an organization such as the US Occupational Health and Safety Administration or the European Agency for Health and Safety at Work.

This lack of concern for customers from business and lack of awareness among consumers has prompted the Internet of Things Alliance Australia to publish a good practice guide.13

The Australians are not alone. Pressure for more controls and awareness is also building in the US.14

Many of those interviewed felt that there was a need for the insurance industry, fire departments and the police to step in to ensure that particular devices could be safely networked together.

Another scenario that is worrying industry commentators, think-tanks and politicians is the technology industry’s cavalier attitude towards private data. This can be seen by the huge number of data breaches that are occurring on an almost daily basis at the moment.

This attitude is exemplified by the Yahoo data breach that exposed the names, email addresses and passwords of over three billion email accounts and the WannaCry ransomware attack, the biggest of its kind, which spread over networks that hadn't run recent updates.

Further evidence of this attitude can be found in the phone hacking scandal. Voicemail accounts were only protected by default passwords and usernames assigned by mobile phone companies, which were easily obtained with an internet search.

That this practice has been continued with IoT devices should be no surprise, as the technology industry does not want to prevent adoption of its products either by raising fears about security or by making the installation of an online device more difficult.

Companies have no incentive to emphasize privacy and security, according to Mikko Hypponen, the chief research officer of F-Secure, the sponsors of this report, because many companies are drawn to the IoT industry by the lure of capturing data on how consumers behave in their homes.

“Eventually almost every household device will be online, and they will largely be invisible to the end user as a smart device. They will look like dumb devices, but they will be smart devices. However, they won’t offer any features to the consumer because the real reason for them to be online will be for them to report analytics to the company that built the device.

“Eventually this will involve anything that uses electricity, anything in your kitchen – toasters, light bulbs – even your bed if it’s a controllable bed, because it’s all about analytics.

“All of these companies have been to analyst briefings and they’ve been told over and over again that data is the new oil and they look at Google and Facebook and see them making billions out of analytics, so they want to collect analytics.

“It’s clear that some of it is useful to companies because they know physically where their customers are, and when they are using their products, and how often they are failing. That’s valuable information and that is the main reason that the IoT revolution is going to happen whether people like it or not,” said Hypponen.

Many consumers have not yet even considered the implications of this one-way flow of data from their homes.

13 http://www.iot.org.au/wp/wp-content/uploads/2016/12/Good-Data-Practice-A-Guide-for-B2C-IoT-Services-for-Australia-Nov-2017.pdf
14 https://www.ecommercetimes.com/story/84354.html

THE CONSUMER REACTION

Consumer suspicions are being aroused by the rapid adoption of connected devices.

According to an October 2017 survey conducted by Gemalto, a Dutch company which manufactures sim cards for mobile phones, 65% of consumers are worried hackers will take control of IoT devices. The survey also found that 60% were concerned about their data being leaked and 54% are concerned about personal information being compromised.

The research also found that 96% of organizations and 90% of consumers said there is a need for IoT security regulations.

More than half of those surveyed confirmed owning an IoT device, but only 14% knew how to protect it. IoT manufacturers and service providers only spend 11% of their total budget on securing their devices. Two thirds of organizations use encryption as their main security, with 62% encrypting data as soon as it hits the device and 59% cloaking it as it leaves it.

The survey found a link between security and adoption with 92% of companies reporting an increase in sales or product usage after devices have been made more secure. Furthermore, 61% of businesses said regulation needs to clarify who is responsible for security at each stage of data collection and 55% said safeguards are needed for ensuring security compliance.

Overall, 90% of consumers and 86% of businesses said that governments should handle regulation of the sector.

The Gemalto poll is only the latest in a string of surveys that show consumers are uneasy with the idea of the smart home.

In April last year, the Mobile Ecosystem Forum contacted 5,000 mobile users and found that globally 62% were concerned about their privacy and 54% were worried about threats to their home security. In the US, the figure rises to 70% and it stands at 69% in France.

Meanwhile in March 2017, a survey released by the highly respected market analysis firm Gartner found that almost two-thirds of consumers are worried about IoT devices in their homes eavesdropping on their conversations.

Perhaps even more disturbingly for the technology industry, the survey also found that most people were not convinced that they needed a smart home. Many of the benefits of a smart home, such as automating tasks around the house such as dimming and turning off lights, controlling heating systems and carrying out other household tasks left people cold, with 75% of the 10,000 people contacted responding that they would rather do those things themselves than have an IoT device do them.

The frustration and confusion that the population feels regarding technology is now a very real issue according to those interviewed for this report. It prompted many to state that there is now a need to increase awareness of cyber security issues among older people in the society who feel disenfranchised by the technology.

According to Michael Barton, waiting for IoT security issues to grab headlines before action is taken would result in the problems getting worse.

“People may be frustrated with technology but they will be a damn sight more frustrated if their bank accounts are emptied. I want a circumstance where people are alive to this issue and are motivated to do something about it.

“One of the things that we are trying to do is to get people who are victims of online crime to tell lots of members of their own family. We’re trying to actively encourage people who are victims to tell their stories. There’s no doubt that people are unmotivated to protect themselves at the minute.

“Rather than lecturing the public, I think that the industry that is making billions out of this needs to take the first steps. One way of doing this would be to make sure that any device that’s sold is of merchantable quality. It’s not of merchantable quality if it means that people can steal all of your bank account details,” said Barton.

Coping with an aging population

In Japan, Germany, the UK and other countries with an aging population, there is a powerful social and economic driver for the smart home. Assistive technology and connected devices can enable elderly people and the chronically sick or disabled at any age to live in their own homes. This frees up hospital beds that would otherwise be “blocked” by people who are not ill but simply too infirm to manage living at home alone. Those beds could be earmarked instead for treating those with short-term illnesses or injuries. The so-called “bedblockers” currently make up some 177,000 days-worth of delays affecting more than 5,900 beds a day in April this year. Statistics quoted in the Daily Telegraph showed a 42% increase year on year for November 2016 in NHS England.

Many thousands more elderly people are in care homes receiving expensive care that is not tailored to their own personal needs. The smart home can solve these problems and save taxpayers millions of dollars around the world. For example, wearable IoT devices such as smart underpants and bras can constantly monitor the elderly person’s heart rate, breathing, and other vital signs.

The data flows back to a central collection point, and the devices sound an alarm if any of the readings indicate that an elderly person becomes ill, falls or forgets to take medication. Devices, such as the BEDDIT sleep sensor, monitor them during the night and, at any time, a human intervention can be summoned using a traditional community responder dongle, which might be connected to the internet or a phone system.

In Japan, this technology has advanced to humanoid robot carers and robotic cats taking the place of human family and domestic pets for some elderly people, helping them escape loneliness.

Meanwhile a further use case has developed at Hogewey and Tilburg in the Netherlands. Here, at a home for people suffering from Alzheimer's, staff monitor patients with wearable sensors or implants that can be injected under the skin.15

These new assisted living facilities and in-home IoT systems have a disadvantage, however.

They can be hacked.

Researchers at the IT research firm 451 Group suggest medical IoT devices may represent a considerable danger to the public.16

That situation offers cybercriminals an opportunity to hold to ransom individuals or even large groups of vulnerable older people and heart patients. Or they could try an easier method and steal the data, which will soon become valuable in its own right. As the healthcare industry strives to cut costs and produce more effective remedies by collecting data, the metrics produced by every patient may have value. They can be used for good by the healthcare networks to plan better services, predict epidemics and research remedies. A neutral use case would be for the insurance companies to use pooled and anonymised data to set premiums and assess risks. And the evildoers could syphon off data from patients or elderly people and simply sell it off on the Dark Web in the same way that they sell credit card details or passwords.

In many countries, there is a tradition of donating blood, organs and bone marrow, so there may soon come a time when it will be regarded as public-spirited to donate personal healthcare data – especially for those who are afflicted with rare or hard-to-treat conditions.

In addition to the cyber security concerns of equipping patients and seniors with IoT monitoring devices, there are also serious ethical concerns. For example, if a patient or elderly person decides that the medication is giving them unwelcome side effects, they may decide to stop taking it. However, this failure to medicate will be observed by all their tracking devices, and they will start to issue reminders. It will be reported to their medical care team and they may decide to physically intervene, by phone or in person. Thus, their autonomy and dignity are eroded, and they no longer have the freedom to control their own well-being.

15 https://hogeweyk.dementiavillage.com/en
16 https://www.ft.com/content/75912040-98ad-11e7-8c5c-c8d8fa6961bb

IOME AND THE IOWT: THE INTERNET OF ME AND THE INTERNET OF WOMEN THINGS

The Internet of Things is generating sub-groups of consumers almost as fast as it is being adopted. A range of ever more invasive systems are being developed to improve our health, monitor our activity and deliver personal services.

Chief among the devices at the heart of the ‘Internet of Me’ will be the smart textiles of the sort being developed by David Lussey. These fabrics of the future will allow the creation of cheap smart clothes, bedding and other close-contact systems that can be used predominantly to monitor health data. But they can also supply a range of other sensations, such as remote hugging.

Some technologies have already been with us for a number of years. The electronics company Philips pioneered smart underclothes for use in health monitoring and Professor Adrian Cheok, chair of Pervasive Computing at London’s City University, has developed remote sensing systems that can be used via mobile phones.

Despite the market failure of the Google Glass, many observers now suggest that it was ahead of its time. The adoption and use of augmented reality (AR) and virtual reality (VR) Google Glass-style systems in the automotive industry and aeronautics will gradually trickle down into the home, as the public appetite for AR and VR grows.

A number of other IoT devices have also been developed that aim to provide either the wearer or another person with information about the person using them. In the case of fitness apps connected to mobile phones, this can mean that data on an exercise regime can either be given to the wearer, or shared with a doctor.

Other devices that have been developed along similar lines are smart crash-helmets that are able to tell paramedics where a rider’s crash helmet was struck and what force was applied to the head at that point.

Music led to some of the earliest use cases of the Internet of Things, namely WiFi and Bluetooth headphones. Similar technologies will now be with us everywhere, from the cradle to the grave.

Early adopters of IoT typically choose cool gadgets – like wireless headsets – rather than assistive technology to make life easier for, say, a mother of small children or safer for a teenage girl walking home from the bus stop. Some feminist researchers and designers fear that women in general are being neglected as the Internet of Things rolls out, with an emphasis on “boys’ toys”.

To counteract this tendency, a small makers’ movement has begun to create connected devices around the idea of the Internet of Women Things (IOWT), and a house at Turin in northern Italy has been dedicated to the pioneer of IOWT, the Serbian-American designer Jasmina Tesanovic.

In her manifesto she explains: “The IoT is so alienating, and so narrowly obsessed with today’s technical and economic needs, that it might well fail altogether. It would be a shame if its profound potential was lost for a generation, in a heap of failed, too-ambitious toys, as happened to similar tech visions such as Virtual Reality. Women as much as men are responsible for technology, and we were major participants in the internet revolution, for good and ill. Women can’t be excluded from modernity by mentioning our chromosomes.”

“Even when the Internet of Things is attacked — for some just reasons — we should not allow the potential abuses, crimes and accidents to create the rules. “Things” have always been troublesome, while the frontier “Internet” of the twentieth century is also showing its ugly side in seamy business practices, cyberwar and acts of repression.”

From health and wellbeing wearables, such as Fitbit, through to fertility monitors, manufacturers are ready and eager to deploy IoT into women’s lives. Casa Jasmina17, an open source laboratory that regularly hosts maker meetups, is just one space where the gender debate can be made explicit, and women’s ideas embedded in the new technology.

What’s more, the IOWT devices worn next to the skin, such as smart incontinence pants or internally such as the myFlow18 smart tampon, are monitoring the most intimate of bodily functions. So, special care needs to be taken with the data from these connected devices. Sensitivity and confidentiality are essential.

The academic community is already grappling with this delicate issue and the high-powered PETRAS research group of eight top UK universities, convened at University College London, has appointed no less than Sir Nigel Shadbolt to head the team investigating the Ethics of Intimate Personal Devices. Sir Nigel, with Sir Tim Berners Lee, is one of the fathers of the World Wide Web and they are both co-founders of the London-based Open Data Institute. The PETRAS research group is investigating all other aspects of the IoT, too. Some of Britain’s best brains are on the case. They are not only examining the IoT from a legal and ethical standpoint, but also with a view to capturing British innovation and intellectual property and spinning off inventions into industrial and domestic use cases, to boost the economy.

17 http://casajasmina.cc/seven-ways-of-iowoment
18 http://www.trackmyflow.com

THE OVERWHELMING CASE FOR REGULATION

A significant majority of those contacted for this report stated, generally with some regret, that there is an overwhelming case for regulating the IoT.

The need to secure every device that connects to the internet is clear, but many manufacturers aren't yet acting proactively to make sure all customers can keep their devices updated and safe. As the massive scale of the potential vulnerabilities being built into the IoT becomes impossible to ignore, regulators may have no choice but to act.

But the case for acting before that tipping point is reached is already being made by many who know security best.

“There needs to be regulation but I'm fighting shy of heavy regulation here. You can't sell toys with pins in them so that children are blinded. You can't sell cars where the brakes work intermittently. Nor should you be able to sell something on the IoT that allows people's bank accounts to be emptied,” said Durham Chief Constable Barton.

Mady Delvaux MEP, the European Parliament’s Rapporteur on the newly-created Civil Law on Robotics, is equally sure of the need for new laws.

“We should at least have a debate and monitor what is happening with the Internet of Things and the employment market because technology is not an objective in itself. We want to make life easier and better, so we have to look at the humans.”

And Delvaux is indignant at the idea put forward by some manufacturers and the insurance industry that the users of the Internet of Things should take sole responsibility for how the devices are used, and how personal data is extracted.

“Some people say that in return for your data, you should at least get a better service and that would be safety and security for your vacuum cleaner,” she said. “For me it’s a question of the ownership – who has access to this data? I think I should need to give my consent before this data is sold to someone else. With our privacy regulations, we forbid that this data is given away without the consent of the consumer.”

It is not just MEPs like Delvaux who want to see regulation. So does Chatham House’s Emily Taylor, who said that it is essential for manufacturers to raise security standards.

“You have to ask yourselves, why on earth are IoT devices being shipped to market without even basic security? Why is it that they have no way of patching in some cases or with an open username and password, or no credentials set, or just 'admin' and 'password' set as the defaults? You know there are some really, really poor practices out there,” said Taylor, who is also CEO of Oxford Information Labs. She pointed out that the problems that the IoT poses won't just go away.

“Even if we started right now to insist on perfect security for all these devices, then there are still tens or hundreds of millions of devices out there that are poorly secured and that will take years to wash through the system.

“I think Bruce Schneier put this very well to Congress in his testimony on the Internet of Things. He’s saying he might replace his mobile phone once every year or two, but he will replace his thermostat approximately never in his house. Your toaster will hang around for years, so will your fridge, so we won’t have the same cycles of renewal which we saw in the mobile phone world for example,” said Taylor.

Delvaux’s fellow MEP, Mary Honeyball, is even more outspoken about the need for regulation:

“It’s getting dangerous now, so we really need to do something about it. We need to increase awareness of what devices do, and of the networks that they create. We can easily get ourselves into a situation where a number of devices can create a network that can go all over the place and find that people don’t know what is going on in their home, and that, at the same time, find that companies can access those devices without most people being aware. That is an invasion of our privacy.

“We really need to get a grip on it. That there are medical devices with inadequate security on them is very worrying. This is going on because we haven’t taken enough notice of what’s actually happening. We need to take this very seriously. It does sound like sci-fi and that’s part of the problem because people have difficulty in grasping just how serious this is,” said Honeyball, adding that she had particular concerns over privacy.

“I think companies are beginning to invade our lives too much, I actually object to the amount of data that is held on me.”

The concern over the commercial invasion of both our property and person was common among the legislators we contacted. According to Chatham House’s Taylor, the terms and conditions that have become the standard modus operandi of the internet companies either need to be shrunk, or they need to have the major risks prominently displayed.

“At the moment unfortunately, they’ve [terms and conditions] become the glue that makes online life possible. But I really think there is a role for consumer groups to start really challenging them and to start challenging unfair contract terms with consumers.”

According to Stephen Metcalfe, British Member of Parliament for South Basildon and East Thurrock, chairman of the All-Party Parliamentary Committee on Artificial Intelligence and one of the members of the Parliamentary Select Committee on Science and Technology, it is an area of particular concern for UK parliamentarians because of the way technology companies gain access to our data using complex and confusing terms and conditions.

“This is one of the things we are all guilty of, but we all click the terms and conditions box without giving it a second thought every time we download an app, and we’ve no idea what we’ve just agreed to and what data we have just given away.

“We have got to get people to understand what they are agreeing to, it’s a big problem,” said Metcalfe, adding that there was now a dire need for government and business to start raising awareness with the public at large.

“I think the IoT represents a huge opportunity in and of itself, but I think that there are security issues that we all need to be aware about. I would like to see the level of public awareness raised. Collectively, government and industry have to make sure that people are aware of the risks the technology poses. For instance, we have to make sure that the default settings on these IoT devices are secure for the public and that may require legislation or regulation.

“I hope the people designing the systems will see that they have to put security at the heart of the system. We may need to come up with a method of assessing devices too, so that as new products enter the market that they are given something like a traffic light rating, so that the public know how secure they are. Something like a red, amber, green system,” said Metcalfe, who acknowledged one of our research’s other findings – many 21st century politicians around the world were not up to speed with technology. “One of the recommendations from the Science and Technology Select Committee was that we should ask for scientists from the Alan Turing Centre to potentially fill that gap, so that we can start to think how we might regulate on these issues.”

THE REGULATOR’S DIGITAL KNOWLEDGE GAP

For Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington-based think tank, a lack of familiarity with technology is an issue that may be age-based. He thinks that the young people who surround these policy makers may be the answer.

“I think there’s a digital literacy problem that exists around policy makers. The good news is, most of them are surrounded by staff who are so called digital natives, who grew up in the past twenty years.”

Robert Belgrave isn't so hopeful. The CEO of the cloud and IoT consultancy Wirehive and a member of the British Interactive Media Association doesn't believe technology is learned by osmosis.

“I have friends that work in advisory capacities to Number 10 and for some peers and there’s no-one in those buildings who seems to truly understand the problems of IoT and AI at the higher levels and I find that deeply concerning.

“We have a special interest group at Bima, a sort of sub-council that is dedicated to AI with some of the leading minds in the AI field and you should hear the anger and bewilderment that they have expressed about the fact that the AI committee in Government doesn’t have any AI experts on it. How can any of these people be drafting these rules without any kind of understanding of what they are trying to legislate about?”

It is a problem acknowledged by the MEPs Mary Honeyball and Mady Delvaux, who both said that there was a need for more technological capability among legislators.

In the US, there is a similar knowledge gap according to Gary McGraw of the US-based software company Cigital.

According to McGraw, Europe is 18 months behind Washington DC when it comes to computer science and American legislators themselves aren't keeping up with their own tech industry.

“Washington lags very much behind the cutting edge of technology and computer security is very much at the cutting edge of technology.”

The current situation plays into the hands of the technology industry. Companies attempt to evade any attempts at regulation by scaring off ill-informed politicians with tales of job losses and innovation being stifled. Often the politicians are also deterred by the sheer size of multinational data companies like Google and Facebook and what they see as the impossibility of imposing workable rules upon them.

THE PUSH FOR REGULATION

There are, though, signs of an appetite for clarity from some large companies. That’s according to Mark Boulton, the Insurance Sector lead for the UK and Ireland for the Japanese multinational Fujitsu.

“We could well do with a mandate that sets apart different parts of the IoT to enable different types of engagement because some of these things could be so useful. It would be a shame not to get it right from the outset.

“I think security is an absolute must, the more and more you get into services that are autonomous the greater your security has to be, if there are devices out there with no security then you can expect the worst,” said Fujitsu’s Boulton.

It’s a point that the Norwegian Dr Ovidiu Vermesan, one of the world’s leading authorities on the IoT and the coordinator of the IoT European Research Cluster (IERC) of the European Commission, is keen to make.

“I think that the regulation will create the market,” said Dr Vermesan. A lot of the companies are looking for regulation because they want clarification and this is the point. Many companies are eager to have the IoT regulated because that will clean the market of sub-standard devices, devices that are very cheap but without any security. Regulation should get rid of the sub-standard devices that are shiny on the outside but dirty on the inside.

“This is the problem of the connected world that we have to address because when you are connected the weakest point will betray the rest of the network, because an attacker will always penetrate through the weakest point,” said Dr Vermesan.

The EU finally seems prepared to act. On September 13th 2017, the EU announced that it was going to be implementing a certification system for all devices that connect to the internet. Dr Vermesan confirmed that this would include IoT devices.

SUMMARY

The IoT is a wonderful thing. But it needs to be regulated to protect people’s human rights – especially privacy, device sanctity and anonymity. And it needs to be standardized to optimize the interoperability and minimize the friction between the myriad things that connect to the internet. Most importantly, it needs to be secured – at the level of every tiny device, sensor and data collection point across the entire network.

Culture

One of the principal issues that this CSRI report into the IoT discovered was a cultural failing among technology companies to properly appreciate the fundamental rights of people.

Driven by an appetite for profit, many of the companies involved in the IoT have abrogated their responsibility to the broader society by sacrificing people’s privacy and security in their shareholders’ interests.

Underpinning this corporate cultural weakness is a willingness to see people as the ‘new oil’. It is a criticism of the information revolution. Since the start of the World Wide Web, the underlying corporate motivation has been numbers.

This concerns MEP Mady Delvaux, who worries that the obsession with mass adoption and tracking is leading us astray.

Using the metaphor of oil, the more data you have, the bigger your potential profits, as F-Secure’s Mikko Hypponen notes. This hunger for information has been underlined to the manufacturers by competitors, advisors and shareholders. Manufacturers and software makers have been assured that there is money in analytics and that they are missing out on a potential revenue stream if they fail to collect it.

As we have seen from the comments from David Lussey, sensors can be placed anywhere. Businesses have just not yet worked out where they can put them all. The same prevailing attitude goes for data: as IDTechEx’s Dr David Pugh stated, only 2% of data is currently used but data is still collected, just in case it can be used in the future.

This may be a situation that has been addressed by the European General Data Protection Regulation (GDPR) according to the British MP Darren Jones, who sits on the UK Parliament’s Science Select Committee. Jones is an MP and telecommunications and technology specialist who has been heavily involved in an EU-wide review of consumer rights law. Interviewed for this report, he told the authors:

“Under GDPR – and don’t forget the e-privacy regulation in Europe as well – when it comes to certain marketing activities around communications networks and connected devices, the definition of personal data increases. It includes IP addresses. So if you’re transmitting the IP address of a kettle then, in my view, under the new data regulations, that’s personal information. Therefore the kettle’s manufacturer has to have a legal basis on which to collect that (data) through consent from the customer for a legitimate interest in providing the service that is the kettle.”

“But they should only be collecting and using that information if there’s good reason to do so. The thing with big data is that people are probably collecting too much, too frequently for what they need and it’s going into silly situations now. I understand that some of these new smoking technologies (e-cigarettes)-…apparently, they’re Bluetooth-connected and they’re collecting information on you. I don’t know what information they’re collecting or what you can collect from a cigarette, but this goes to the very heart of your question. Do consumers really understand what data it’s collecting and what it’s being used for? The view is that under new data protection laws, providers will have to get better at explaining that. And we’ll have to wait and see whether that’s the case.”

The EU’s GDPR and e-privacy legislation comes into force in May 2018. However, many of the other experts who informed this report suggested that companies were already pointing to vague terms in the regulations so that they can continue with their wholesale collection of data.

Taking back control

Several of those people interviewed for this report suggested that there was a need for people to take back control of their data and to negotiate both a better deal for its use and more control over how it is used (MEP Mady Delvaux and Dr Ovidiu Vermesan). The argument is a simple one. The internet companies have essentially taken advantage of what can only be described as a loophole in human nature
that is a manifestation of technology, the desire for instant gratification that technology seems to singularly encourage.

Because of this, internet companies have made it an established practice that people sign up to exclusive contracts that often either unfairly strip them of their rights or gain access to significant amounts of data that represent significant invasions of privacy (a point made by Chatham House’s Emily Taylor). When united with other data culled from other sources, this effectively turns people’s homes into public places.

The majority of those interviewed for this report pointed out that this must change and that there should be a determined attempt to bring companies into line with the spirit of the EU’s GDPR. Terms and conditions must be simpler, and they must be boiled down to an easy-to-follow summary, setting out what a contract entails and what the signatory is giving up in return for the service they receive.

Due to a desire for instant access either to communications or to services, the population at large is particularly resentful of anything that prevents the use of technology. Many wrongly regard an internet-enabled device as equivalent to an electric drill or any other tool or practical device, without thinking that an internet-enabled device can both supply and receive information.

As a result, there is little consideration of the fact that if IoT devices are deliberately made so that they can perform functions remotely, they can also spy on their owner and relay personal data back to a central collection point.

Appropriate use

One of the central points of the CSRI’s research into the deployment of IoT devices revolves around the question ‘why?’ It was felt that there is a very real need to only connect things that can provide a particular benefit – like enabling aging people to live in their homes for longer, or for disabled people to enjoy an enhanced quality of life – and to ensure that those devices only carry out the task the device is meant to perform.

It was also felt that what an IoT device did to carry out a particular task should be clearly and simply spelled out. Customers should know what a device does, how it does it, what data it collects and why, and where that data goes. Thus they could know if appropriate levels of security had been assigned to those functions.

Many of those interviewed also stated that there was a need for parts of a network to be identified and assigned a value according to the tasks that they were given to perform in that network. The goal of this would be to increase understanding of what the IoT is, how it connects together, and what it does.

Education

With that in mind, those interviewed for this report were unanimous in their calls for increased education on technology across the board, particularly citing those who are 40 plus as being in need of increased technological awareness. It is perhaps not surprising that this would be an age group that includes most politicians, another weak link
we identified in the effort to secure the IoT. Even politicians recognized their weaknesses when it comes to IoT security. Stephen Metcalfe noted that the Science and Technology Select Committee is now asking for guidance from the Alan Turing Institute.

There was also common agreement on the need for both standards and for some form of certification process that could be used (Stephen Metcalfe, MP), in IoT expert Dr Vermesan’s words, “to clean the market of substandard devices.”

Responsibility

Finally, responsibility. Often those we interviewed sought to place the burden of responsibility for ensuring safety and security of the IoT on the technology companies, and then governments. Some also said that it was the responsibility of the individual who installed devices into their home to at least have some idea about what a device did, and the risks that it presented.

As we have found, up until now, companies have been left largely unregulated and the result is an increasingly insecure and increasingly dangerous environment.

Bruce Schneier, the technology commentator and author, said at the Organization for Economic Cooperation and Development’s Digital Economy Ministerial Meeting in Cancun, Mexico, in June 2016, that the situation was becoming so bad that people would go off-line.

“My guess is we are reaching the high-water mark of computerisation and connectivity and, in a few years, we are going to be deciding what to connect and what to disconnect and become more realistic about what can work.

“We are creating a society by which a totalitarian government can control everything. Right now, it’s more power to the powerful. And we are living in a computerised world where attacks are easier to create than defenses against them. This is coming faster than we think. We need to address it now. People up to now have been able to code the world as they see fit. That has to change. We have to make moral, ethical and political decisions about how these things should work and then put that into our code. Politicians and technologists still talk past each other. This has to change.”

But as we heard from many of our experts, politicians themselves need to rise to the occasion and get educated too, if we are to solve this challenge.

The buck can be passed forever. In a Pew Research Center paper published in June 2017 – "The Internet of Things Connectivity Binge: What Are the Implications"19 – researchers found that the general public believes it is up to politicians to regulate the IoT.

Ironically, the politicians and police felt that the responsibility fell on the companies and the general public. They argue that, if the public fails to educate itself, vulnerabilities will only increase and society will become more and more dependent on experts to make decisions about a world in which most are clueless about the implications of mass data collection.

Thus the ultimate conclusion of this report is that the public should be advised of the best practices that they adopt in order to protect themselves. Governments should urgently start public education initiatives to bring the population into the 21st century.

Such a course of action would not only lead to increased awareness of the threats from cyber criminals, it would also lead to a deeper understanding of the information age, potentially leading to new opportunities as a result.

While educating consumers, governments also need to address the quality of technology being put in consumers’ hands and homes. Product manufacturers must also be regulated to ensure that products which come to market are not lacking in security features or privacy measures. A bottom-up and top-down approach is the best way for the technology industry to move forwards responsibly with the confidence of the public behind it. Such a scenario will ultimately bring more innovation, as consumers willingly adopt more and more IoT products into their lives.

19 http://www.pewinternet.org/2017/06/06/the-internet-of-things-connectivity-binge-what-are-the-implications
